On Thu, Aug 21, 2025 at 02:37:33PM +0300, Avram-Teodor Berindeie wrote:

> > I am not entirely sure what you're trying to say above, but should
> > clarify that with solid support in Postfix to use a custom "openssl.cnf"
> > file and/or set a custom application name (perhaps even different names
> > for different master.cf services) it doesn't really make sense to keep
> > adding Postfix parameters to mirror every new OpenSSL feature.
>
> OK I tested it and it works, I have only one question?
> Do I need to copy the default openssl.conf file (located in the path
> /etc/ssl/openssl.conf)

My typo upthread, it is of course "openssl.cnf" without the expected "o".

> to the path /etc/postfix/ and add the settings suggested in the first
> answer to that file?

There's generally nothing there that's relevant to Postfix. By default
Postfix does not load the system-wide openssl.cnf file. This avoids
collateral damage to opportunistic security in SMTP from overly strict
security policy that is arguably appropriate for mandatory TLS.

> I ask this because in this case, with each change to the default
> openssl.conf file (possible when updating openssl) I will have to recopy
> the file to the path /etc/postfix/ and add the settings again.

No need. You only need to change the Postfix specific OpenSSL config file
if your Postfix requirements change. Of course you can also use the
system-wide file and just define a custom "tls_config_name", but since
IIRC nothing else in that file is relevant to Postfix it hardly matters.

-- 
Viktor. 🇺🇦 Glory to Ukraine!
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
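As an added example (not part of the message above, and not Postfix or OpenSSL code), this Python sketch resolves which `system_default` SSL settings an application name selects in an openssl.cnf-style file, the mechanism behind a custom "tls_config_name". The sample file, its section names and its MinProtocol values are constructed; the parser handles only `[section]` headers and plain `key = value` lines, and the fallback to the `openssl_conf` name when the requested one is empty or absent is an assumption taken from the tls_config_name documentation.

```python
# Constructed sample: one file holding a strict system-wide policy and a
# separate, Postfix-only application section (all names are illustrative).
SAMPLE_CNF = """\
openssl_conf = system_wide_settings
postfix = postfix_settings

[system_wide_settings]
ssl_conf = system_ssl_settings
[system_ssl_settings]
system_default = strict_defaults
[strict_defaults]
MinProtocol = TLSv1.3     # policy aimed at mandatory TLS

[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1.2     # looser floor for opportunistic SMTP TLS
"""

def parse_cnf(text):
    """Minimal parser: keys before the first header land in 'default'."""
    sections = {"default": {}}
    current = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def ssl_settings_for(text, app_name=""):
    """Return (application name actually used, its system_default settings)."""
    sections = parse_cnf(text)
    top = sections["default"]
    # Assumed fallback: an empty or unknown name selects "openssl_conf".
    name = app_name if app_name in top else "openssl_conf"
    if name not in top:
        return name, {}
    app = sections.get(top[name], {})
    ssl = sections.get(app.get("ssl_conf", ""), {})
    return name, sections.get(ssl.get("system_default", ""), {})

if __name__ == "__main__":
    for requested in ("postfix", "", "no_such_app"):
        print(repr(requested), "->", ssl_settings_for(SAMPLE_CNF, requested))
```

Running the resolver against the file Postfix is pointed at, before reloading, shows whether the Postfix section or the system-wide policy would take effect for a given name.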